Will You be Red Flags Compliant?
When Nov. 1, 2009 comes and goes … will you still be around? By Brad Kelso
AUGUST 2009 O
TEXAS MORTGAGE PROFESSIONAL MAGAZINE
O www.NationalMortgageProfessional.com
The Federal Trade Commission (FTC) deadline for Red Flags Rules compliance has been extended once again until Sunday, Nov. 1. While you are probably aware that you have responsibilities under this legislation, chances are and especially if you’re reading this, you don’t know exactly what your responsibilities are, and/or you have not yet done anything about them. At the same time, you may be asking yourself, “Do I really need to?” The short answer is yes, you need to do something, and the reasons are:
36
1. Because the FTC “said so” as they are serious about compliance and enforcement; and 2. Because the risk of non-compliance is a business killer and not one you want to take (up to $3,200 per incidence of non-compliance). What are the rules and what do you have to do? The Red Flags Rules require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. The FTC determined that mortgage brokers are included under the Red Flags Rule, and they won’t be able to “fake it”—they will actually have to read, assess, understand, document, use new tools, create an audit trail, gain consensus, train and get board approval and here’s a shocker … prevent identity theft! Isn’t there a “turnkey” solution? The simple answer, “Nope.” For months now, starved compliance consultants, vendors, associations, and data/credit companies—ethical and unscrupulous alike—have trumpeted “turnkey” solutions to the Fair and Accurate Credit Transactions Act (FACTA) Red Flags requirements to brokers with
That tidbit number one just saved you about four to six hours of needless reading and assessment because you are not a bank or lender. Second, all but five of the remaining 14 guidelines are alerts potentially detected by existing fraud alerts available through your credit reports or by fraudulent proof of identity—this makes it inexpensive to detect and with thoughtful advice, fairly straightforward to then mitigate. Tidbit number two saves you money and hassle—add at least two sets of frauds alerts to your credit reports and train your loan officers (LOs) to react to the high-risk ones that might appear on a credit report (see how easy this is?)
a fierce vengeance. These so-called “Instant Red Flags Solutions” for brokers have run the gamut of $1.50 for credit report add-ons, to consulting packages upwards into the $4,995 range. Unfortunately, no such ready-made, quick fix exists, though brokers would dearly wish otherwise. Red Flags compliance requires a fairly holistic and custom response at the entity level, no matter how many officers a broker may have. In complete disclosure, my own Third, fortunately, the firm, Informative brokers still left standing Research, a mortgage in the industry either credit reseller, counts have been doing this a itself among the more while (strong experience) altruistic in the group, or are among those in the and offers a credit report latest wave of professionaddendum solution as als (the qualified crazy) well as a sample “Policies who may be exceedingly and Procedures” tem“The FTC detercompetent regarding risk. plate. The two together mined that mortgage Tidbit number three: get you 90 percent there, brokers are included Anyone left standing but do not meet all the under the Red Flags from 2008 (ROCKS!) gets customization elements Rule, and they won’t risk. of the compliance be able to ‘fake it’ …” requirements. Fourth, access to verify But there is good news. A 180-min. investment of your a person’s identity definitively through own focused time can quickly bring you the Social Security Administration is a viable escalation for any broker as an to compliance. In fairness and since you’re late at end point to their efforts (Form SSA 89, this point (and “at risk”), you are still Consent Based Social Verification). Tidbit number four is the “… if all likely able to ‘retro’ your plan if you act quickly; the “do nothing strategy” is the else fails” card. Know it, use it, rely on it (Consent-Based Social Verifications). one to avoid. A broker’s best approach: Three hours of focused efforts, documenting policy and procedures that detect, prevent and mitigate identity theft There are five helpful facts to leverage that effort going forward: First, most brokers will only need to address 54 percent of the scope of the FACTA regulations; by our read that means only 14 of the 26 Red Flags-suggested guidelines apply to a broker’s business, since very few brokers service loans.
Fifth, armed with those facts—limited scope, the experience to respond, and an “end point“ product to validate identity—any broker who focuses their time can document the policies and procedures required to meet Red Flags. Tidbit number five: You can do this and you have to, and you’ll be thankful you did. Without excessive (further) counseling and assuming you can lock yourself away, our recommended three-hour
“hurry up“ answer process goes something like this: 1. Read “most all” of the regulation until you understand what applies to brokers and what doesn’t (20 min.). 2. Read it again—for real—because you’ll need specific understanding to write cogent policies and procedures (20 min.). 3. Focus on understanding the obvious suggested 14 guidelines (of the 26 possible) in Appendix J of the Regulation that directly pertains to a broker’s work (30 min.). 4. Start documenting (writing) a policy that says essentially which of these 14 you will address and why or why not. For nine of the 14, the answer will come from ordering, and then responding to, the fraud alerts that are available on credit reports. The other “two” are related to blatant identification forgery (40 min. using a template). 5. Document (write again) simple procedures (one-pager) for what a loan officer should do if a really nasty alert appears on the credit report or the ID given is clearly a forgery or fictional. Use SSA’s Consent-Based Social Verification (use SSA Form 89 just as you would a 4506-T income validation) as the escalation product (30 min.). 6. With the remaining 40 min., plan and document the remaining compliance steps: Getting sign-off at the highest level, how you do training and annual updating, etc. 7. Share (publish) the final result with all in the shop and follow-up. Following these steps you can minimally stop 75 percent of identity theft and also meet the Red Flags regulation. Brad Kelso is the vice president, director of marketing and product development at Informative Research, with a cumulative 22 years in financial services. Prior to joining Informative Research, Brad led Countrywide’s credit fraud initiatives and system development efforts with credits as a national expert and speaker on “Authorized User Score Fraud.” He is the primary architect of two products related to identity fraud for the mortgage industry. Brad can be reached by phone at (800) 473-4633, ext. 150 or e-mail bradk@informativeresearch.com.